NIST cloud guidelines address security, privacy concerns

Cloud computing is a cost-cutting solution for agencies in the age of austerity. The cloud gives agencies access to shared resources and the ability to pay for only the capacity they need.

But can agencies ensure security and privacy in the cloud?

The National Institute of Standards and Technology published two draft documents on privacy and security, following the Office of Management and Budget's endorsement of a "cloud first" policy.

Lee Badger, a computer scientist at NIST, and Tim Grance, a senior computer scientist at NIST, joined the DorobekINSIDER to explain how agencies can take advantage of the costs and efficiencies of moving to the cloud while maintaining security and privacy.

Grance said that defining the goals and needs of security is up to the user, not the cloud vendor. People also remain responsible for the privacy and security of their data, even if it is in someone else's environment.

Badger said agencies can protect themselves by, first, being well-informed about their needs and the cloud vendors' capabilities. Also, agencies must use their contracts with vendors to ensure security and privacy needs are met.

Contracts include two kinds of service level agreements - the most common is something you can simply accept or not accept, Badger said. With the other kind of SLA, the user negotiates the details with the cloud provider.

"You really do have to scrutinize the details," Badger said.

The guidelines proposed by NIST are just that - proposals. NIST is seeking comments from the public through Feb. 28 via email.

Grance said NIST seeks technical comments on its draft documents, but also other comments that address cost-efficiency and innovation.

"Of course we're happy to take any comment people are willing to make," he said.

The public can also contribute to a wiki that includes sections on architecture, use cases and

"We encourage that very robust public and private collaboration," Grance said.